FDA Warns on Abbott's St. Jude Pacemakers and Defibrillators

The U.S. Food and Drug Administration issued a blistering criticism of Abbott Laboratories for failing to properly investigate and resolve risks related to its implanted heart devices, including cybersecurity threats and a battery malfunction linked to two patient deaths.

The FDA's made the criticisms in a warning letter sent to Abbott on Wednesday, following an inspection of the medical-device maker's facilities in Sylmar, Calif., in February. The letter relates to pacemakers and defibrillators that Abbott acquired earlier this year in its $25 billion takeover of St. Jude Medical Inc.

Continue Reading Below

All of the issues described in the letter occurred before Abbott completed the acquisition in January, an Abbott spokesman said. Abbott says it has since fixed the cybersecurity vulnerabilities and battery problems.

"We take these matters seriously, continue to make progress on our corrective actions, will closely review FDA's warning letter, and are committed to fully addressing FDA's concerns," the Abbott spokesman said in an email.

Analysts said the FDA's letter, which describes the company overlooking or omitting early signals of product defects or vulnerabilities, could hurt Abbott's reputation among cardiologists.

Abbott shares fell 1.8% to $42.69 in Thursday afternoon trading.

The letter requires Abbott to provide a written description of the steps it has taken to correct the violations identified by FDA inspectors, and an explanation of how it will prevent similar violations from occurring in the future. If Abbott fails to correct the violations, the FDA could seek to implement an injunction, conduct a seizure and issue monetary fines. The FDA said it wouldn't make any approvals related to the heart devices until the violations are corrected.

Advertisement

The letter addresses two recent controversies involving St. Jude's devices: a report by Muddy Waters Capital LLC last year that St. Jude's pacemakers and defibrillators were vulnerable to hacking, and the company's recall of certain of defibrillators last year because of a battery malfunction.

In October 2016, St. Jude warned that about 250,000 of its heart defibrillators in the U.S. could stop working because of rapid battery depletion, and that two patient deaths were linked to the problem. The company said the malfunction was rare and most patients already implanted with the devices wouldn't need to have them replaced unless they received an alert.

But in the weeks after issuing the recall, St. Jude shipped 10 of the devices to its sales representatives and an additional seven patients were implanted with the recalled defibrillators, the FDA said in its warning letter. The devices provide pacing for slow heart rhythms and electrical shock or pacing to stop dangerously fast heart rhythms.

The FDA letter also suggested that St. Jude should have recognized the risk from the battery issue earlier than it did. From 2011 to 2014, St. Jude received evidence from its battery supplier that the malfunction was caused by lithium deposits in the batteries, the FDA said in its letter. But St. Jude "repeatedly concluded that the cause of premature depletion of" the batteries "'could not be determined,'" the FDA said.

As early as 2011, St. Jude had evidence that lithium clusters had formed in prematurely depleted batteries, the FDA letter said, but the company "failed to identify" the issue as a "hazardous situation."

In November 2014, St. Jude failed to present "relevant and complete information concerning the premature battery depletion issue" to its medical advisory board and management review board, the FDA said. For instance, the company only presented rates of battery depletions that were "confirmed" to be caused by lithium clusters, the FDA said. By failing to consider the "unconfirmed" cases of lithium clusters, "your firm underestimated the occurrence of the hazardous situation," the FDA said.

St. Jude told its management review and medical advisory boards that "there were no serious injury or death directly related to lithium cluster formations," despite having completed a review months earlier "of the first patient death related to the issue," the FDA said. St. Jude's review found that the cause of the death "'could not be determined,' despite evidence of lithium bridges, provided by your supplier," the FDA said.

"This death was not disclosed," in presentations to the management and medical advisory boards, the FDA said.

Muddy Waters Capital issued a report in August 2016 alleging that hackers could "crash" the company's pacemaker and defibrillator systems, or drain their batteries, by hacking into external devices that transmit and receive data from the heart devices. Muddy Waters Capital, an investment firm, said it had a short position in St. Jude's shares, meaning it was betting that the shares would decline in value. St. Jude denied the allegations and sued Muddy Waters Capital.

The FDA said in its Wednesday letter that St. Jude failed to follow its own procedures for identifying product and quality problems when it evaluated a "third party report" dated August 25, 2016 -- an apparent reference to the Muddy Waters Capital report. St. Jude failed to "confirm all required corrective and preventive actions were completed, including a full root cause investigation" of "potential cybersecurity vulnerabilities," the FDA said.

Shortly after completing its acquisition of St. Jude, Abbott released a security patch for the devices, which it said secured them against hacking. At the time, the FDA confirmed that the devices had previously been vulnerable to cyber-hacking, but that no patients had been harmed because of the vulnerabilities.

St. Jude also failed to incorporate into its risk-assessments the findings of a separate cybersecurity analysis that the company commissioned from a third party in 2014, the FDA's letter said. By failing to incorporate the findings, St. Jude caused its "risk estimations to be acceptable, when, according to the report, several risks were not adequately controlled," the letter said.

Write to Joseph Walker at joseph.walker@wsj.com

The U.S. Food and Drug Administration issued a blistering criticism of Abbott Laboratories for failing to properly investigate and resolve risks related to its implanted heart devices, including cybersecurity threats and a battery malfunction linked to two patient deaths.

The FDA made the criticisms in a warning letter sent to Abbott on Wednesday, following an inspection of the medical-device maker's facilities in Sylmar, Calif., in February. The letter relates to pacemakers and defibrillators that Abbott acquired earlier this year in its $25 billion takeover of St. Jude Medical Inc.

All of the issues described in the letter occurred before Abbott completed the acquisition in January, an Abbott spokesman said. Abbott says it has since fixed cybersecurity vulnerabilities with the greatest risks, and will continue to address other vulnerabilities with additional software updates. The battery problem was fixed with a design update in 2015, the company said.

"We take these matters seriously, continue to make progress on our corrective actions, will closely review FDA's warning letter, and are committed to fully addressing FDA's concerns," an Abbott spokesman said in an email.

Analysts said the FDA's letter, which describes the company overlooking or omitting early signals of product defects or vulnerabilities, could hurt Abbott's reputation among cardiologists.

Abbott shares fell 0.8% to $42.67 on Thursday.

The letter requires Abbott to provide a written description of the steps it has taken to correct the violations identified by FDA inspectors, and an explanation of how it will prevent similar violations from occurring in the future. If Abbott fails to correct the violations, the FDA could seek to implement an injunction, conduct a seizure and issue monetary fines. The FDA said it wouldn't make any approvals related to the heart devices until the violations are corrected.

The letter addresses two recent controversies involving St. Jude's devices: a report by Muddy Waters Capital LLC last year that St. Jude's pacemakers and defibrillators were vulnerable to hacking, and the company's recall of certain of defibrillators last year because of a battery malfunction.

In October 2016, St. Jude warned that about 250,000 of its heart defibrillators in the U.S. could stop working because of rapid battery depletion, and that two patient deaths were linked to the problem. The company said the malfunction was rare and most patients already implanted with the devices wouldn't need to have them replaced unless they received an alert.

But in the weeks after issuing the recall, St. Jude shipped 10 of the devices to its sales representatives and an additional seven patients were implanted with the recalled defibrillators, the FDA said in its warning letter. The devices provide pacing for slow heart rhythms and electrical shock or pacing to stop dangerously fast heart rhythms.

The FDA letter also suggested that St. Jude should have recognized the risk from the battery issue earlier than it did. From 2011 to 2014, St. Jude received evidence from its battery supplier that the malfunction was caused by lithium deposits in the batteries, the FDA said in its letter. But St. Jude "repeatedly concluded that the cause of premature depletion of" the batteries "'could not be determined,'" the FDA said.

As early as 2011, St. Jude had evidence that lithium clusters had formed in prematurely depleted batteries, the FDA letter said, but the company "failed to identify" the issue as a "hazardous situation."

In November 2014, St. Jude failed to present "relevant and complete information concerning the premature battery depletion issue" to its medical advisory board and management review board, the FDA said. For instance, the company only presented rates of battery depletions that were "confirmed" to be caused by lithium clusters, the FDA said. By failing to consider the "unconfirmed" cases of lithium clusters, "your firm underestimated the occurrence of the hazardous situation," the FDA said.

St. Jude told its management review and medical advisory boards that "there were no serious injury or death directly related to lithium cluster formations," despite having completed a review months earlier "of the first patient death related to the issue," the FDA said. St. Jude's review found that the cause of the death "'could not be determined,' despite evidence of lithium bridges, provided by your supplier," the FDA said.

"This death was not disclosed," in presentations to the management and medical advisory boards, the FDA said.

Muddy Waters Capital issued a report in August 2016 alleging that hackers could "crash" the company's pacemaker and defibrillator systems, or drain their batteries, by hacking into external devices that transmit and receive data from the heart devices. Muddy Waters Capital, an investment firm, said it had a short position in St. Jude's shares, meaning it was betting that the shares would decline in value. St. Jude denied the allegations and sued Muddy Waters Capital.

The FDA said in its Wednesday letter that St. Jude failed to follow its own procedures for identifying product and quality problems when it evaluated a "third party report" dated August 25, 2016 -- an apparent reference to the Muddy Waters Capital report. St. Jude failed to "confirm all required corrective and preventive actions were completed, including a full root cause investigation" of "potential cybersecurity vulnerabilities," the FDA said.

Shortly after completing its acquisition of St. Jude, Abbott released a security patch for the devices, which it said secured them against hacking. At the time, the FDA confirmed that the devices had previously been vulnerable to cyber-hacking, but that no patients had been harmed because of the vulnerabilities.

St. Jude also failed to incorporate into its risk-assessments the findings of a separate cybersecurity analysis that the company commissioned from a third party in 2014, the FDA's letter said. By failing to incorporate the findings, St. Jude caused its "risk estimations to be acceptable, when, according to the report, several risks were not adequately controlled," the letter said.